Personally Identifiable Information (PII) is defined (the example below is from NIST) as (emphasis mine)

Information that can be used to distinguish or trace an individual's
identity, such as name, social security number, biometric records,
etc. alone, or when combined with other personal or identifying
information that is linked or linkable to a specific individual, such
as date and place of birth, mother’s maiden name, etc.

How should this be interpreted in the case of a single phone number, not associated to a name?

In other words, if an application is sending bare phone numbers to a server (I am looking at you WhatsApp) without the name of the number owner, is that number still PII?

EDIT: Jonah Benton gave in his answer a very nice summary of the question, I quote him for the sake of clarity

(...) the question refers to a practice where an app on a user's phone
gets access to contacts (...) on the phone and uploads all
phone numbers to the server without also uploading the names
associated with those numbers (despite having access to them.)

What exactly is WA doing? Where is it getting these numbers from?
– Jonah BentonJul 3 '18 at 11:29

@JonahBenton: it is getting the number of the mobile on which the app is installed and the phone numbers in the contacts. The privacy policy states that only numbers are sent, thus my question.
– WoJJul 3 '18 at 15:42

yeah, ok, this is the scenario i hypothesized, so see my answer below. in the scheme of things, that data should be considered pii.
– Jonah BentonJul 3 '18 at 15:46

1

Quoting from the Personally identifiable information of Wikipedia: The following data, often used for the express purpose of distinguishing individual identity, clearly classify as PII under the definition used by the National Institute of Standards and Technology (described in detail below): ... Telephone number ...
– BakuriuJul 3 '18 at 17:48

1

If it helps, I think a better name for "personally identifiable information" would have been "personally identifying information".
– MehrdadJul 4 '18 at 5:38

So, you're saying that if it's a personal number, that it is PII, because someone might recognize it?
– jpaughJul 3 '18 at 14:03

25

No, what I am saying is if it can be used to distinguish or trace an individual's identity then it is PII! This is the case if a mapping from number-> person exists. Even if no one could recognize it but it belongs to a individual, it is PII.
– JosefJul 3 '18 at 14:05

1

@Michael the case is where the number by itself is enough to act as an identifier
– schroeder♦Jul 3 '18 at 20:07

3

@Michael You can use that number to track an individual across a number of 'contacts' (in the radar sense): That number contacted this number at this and this time, that number registered to this cell tower at this time, etc. With enough observations, this pattern characterises a single individual, even if you do not happen to know their name. In fact, that's exactly the way IMSI-catchers on drones are being used. As another analogy, consider a photograph of one's likeness: It can clearly be a personally identifiable information, even if you don't have a way to look up the person's name.
– RelaxedJul 3 '18 at 20:21

1

@Relaxed Gotcha... it seems to be more of a case of, "this number is PII at such time that we can cross the gap of mapping it to an individual before which it's PII just without a name" which may be done via inference given enough other points of data associated with it. To look at it from another point of view, if you send your attorney to contest a photo traffic violation and the company issuing the ticket doesn't have access to associate your face with a name, they can't prove the two are related, but if you show up to court yourself that association is revealed.
– MichaelJul 3 '18 at 20:27

I don't use WA, so don't know specifically what practice the question refers to, but let's assume that the question refers to a practice where an app on a user's phone gets access to contacts and text history on the phone and uploads all phone numbers to the server without also uploading the names associated with those numbers (despite having access to them.)

Are these uploaded bare numbers, without names, considered PII?

Yes, absolutely.

The server isn't collecting number sequences at random, using them to populate a model of some kind, and then discarding them.

It is building a durable data structure that has entities that are intended ultimately to map to humans, and storing those numbers as metadata with those entities. (Key test- when a contact on the phone has 2 numbers, are those 2 numbers somehow associated with the same durable entity server-side?)

The fact that at a particular zoomed in point in the overall architecture at a particular point in time there isn't a name directly stored with the number in a relational db row is irrelevant.

In the big picture architecture, comprising both client apps and the server, and both the data flows currently in place as well as the data flows that could reasonably easily be put in place without user action- eg an app update that collected names as well could be trivially rolled out without user knowledge or additional permission- big picture, this is an architectural graph that has PII.

Your first paragraph exactly describes the situation. But then you assume that at some point there will be a mapping between a specific, named individual and the number, which according to WA is not the case. On the other hand - the number is unique to a person, which means that WA knows what user87989 is doing, without knowing that user87989 is actually John Brown. Which, per literal reading of the PII and other answers still means that this is indeed a PII.
– WoJJul 3 '18 at 15:47

1

Yes. The definition of PII is intended to be expansive- because it's about privacy. And once permission is given to the app to retrieve contacts information, the fact that the app at this moment in time decides not to retrieve contact name, only number, is immaterial. Once it has permission, it can retrieve name and anything else at any time.
– Jonah BentonJul 3 '18 at 15:54

1

The other point is- the name a user has entered into their contacts for a given number is often a nickname or shorthand or something that uniquely characterizes the relationship, but is not authoritative from an identity perspective. There are plenty of services that FB can give a number to and get quantities of authoritative identity data for. So if the assertion that names are not pulled from contacts, only numbers, is made on privacy grounds, well, that's at best deceptive.
– Jonah BentonJul 3 '18 at 16:18

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

From the definitions section of the aforementioned regulation

Because you can correlate a phone number with a person (owner of the contract) and that number might be unique to that person you should consider it as PII information.

I am saying this as precaution as you never know if it is a public phone number, shared phone or any other use case.

In many cases even if shared number it is still possible to correlate it to a person.

The only one that is not possible is the public phones.

Because we do not know this we cannot take the risk of relaxed security in all other phone numbers that might be uniquely associated to a specific person.

IP address can be also be PII, because we do not know if is a proxy or a router at some home we should treat them as equal.

A more simplistic explanation can be found in the bellow link from the European parliament with examples.

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.The law protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

Yes

Clearly and fundamentally, without any doubt; and with especially strong implications when used in a Social Media context like WhatsApp.

The issue is not whether WhatsApp links this phone number to some name when sending it to their server. The issue is that the information itself (the phone number) is linked to you, a person. PII is not so much about usage, and more about the static information content of some data.

Sure, there are degrees in this. For example, birth dates. If I take a sample of just a random birth date (without any attached information) from one person I meet on the busiest street of a city of 10 million inhabitants, then this birth date probably does not help me identify the person later. But if I do the same in a small classroom, it is highly likely that I can do so. (Birthday paradox nonwithstanding.)

In the case of the phone number, or a social identification number etc., the case is crystal clear - I can immediately identify the single person on the world related to that number (maybe from a phone book, maybe just by calling and getting their name if they don't watch out).

Potentially ominous scenarios for using such bare phonenumbers are plenty; e.g. profiling (by matching with other records that contain the number); discovering groups of people (by grabbing a set of numbers that are somehow grouped inside the application) ; etc.

Yes

A base comparison I've been using is with a client's name, does a piece of information allow me to pick out an individual better or worse than a name? You may have hundreds of 'John Smith's but you'll only ever have one individual per phone number (or, at most, a family) and, therefore, it makes it a more identifying piece of information than the person's name.

Phone numbers can clearly be used to re-identify a person in a later stage of data processing. If you enrich it with enough other data (e.g. subscriptions, website visits, geo-locations) you could possibly even identify the natural person. Some companies link phone-numbers to online advertisement-cookie-ids leading to very rich profiles. Online services (for example movie ticket buying service) are known sell this data as well.

Therefor I think in most cases a phone-number should be considered personal data. So always handling phone numbers as personal data seems the wise thing to do, unless you are 100% sure that you are only processing phone-numbers of public organizations for example.

A phone number is not intrinsically linked to a person. There is no passport number which doesn't belong to a single person, but there are many phone numbers not linked to a identifiable person. And if you cite a law, it has to be interpreted in a legal context.
– JosefJul 4 '18 at 12:20

Removed the citation. But arguing that a phone number is not intrinsically linked to a person sounds the same as the advertisement industry has been doing for cookie-ids and IP-addresses, saying it is not a person. I think the new european laws have the intention to make any data that can re-identify a person personal. I truly believe phone-numbers should fall in the exact same category, that is why I linked to article 4: gdpr-info.eu/art-4-gdpr
– Niels van ReijmersdalJul 4 '18 at 13:28

2

You are trying to fit the situation to the definition. An "identification number" is a number used for identification. There is more than enough in Article 4 (and its recitals) to justify phone numbers as being PII, but you do not need to stretch an existing definition to get there.
– schroeder♦Jul 4 '18 at 13:34

Maybe. I might be confusing an ID used for a person and an ID to identify a phone, both are an identifier, but not an "identification number" according to you. I am having a hard time finding the definition for "identification number", maybe in a English based culture it is very obvious that those words only mean things like EIN or SSN. Reading the Dutch translation and definition of the words still makes we feel a phone number would fit perfectly. It describes any number that can be used to identify people. When my wife calls me I can see it is her (phone number), that meets that definition.
– Niels van ReijmersdalJul 4 '18 at 14:30

2

@NielsvanReijmersdal I can offer my perspective as a native English speaker: "identification number" usually means a number created for the purpose of uniquely identifying a person or a thing. There are many things that you could probably use to identify a person that wouldn't typically be called identification numbers. For example, a phone number isn't an identification number because its purpose is to contact a person (or a business or so on), not to identify them.
– David ZJul 5 '18 at 3:24